AWS AWSCloudFormation medium security documentation change
Summary
Added details about administrator account requirements, threat detection activation behavior, format documentation link, and naming constraints for ThreatIntelSet
Security assessment
The change explicitly states that only GuardDuty administrator account users can manage the ThreatIntelSet, which enforces security controls around privilege escalation risks. This clarifies security boundaries and prevents unauthorized modifications to threat intelligence data. The severity is medium as it documents existing security controls rather than patching a vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatintelset.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatintelset.md index 3f93239ee..f377ae856 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatintelset.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatintelset.md @@ -9 +9,3 @@ This is the new _AWS CloudFormation Template Reference Guide_. Please update you -The `AWS::GuardDuty::ThreatIntelSet` resource specifies a new `ThreatIntelSet`. A `ThreatIntelSet` consists of known malicious IP addresses. GuardDuty generates findings based on the `ThreatIntelSet` after it is activated. +The `AWS::GuardDuty::ThreatIntelSet` resource helps you create a list of known malicious IP addresses in your AWS environment. Once you activate this list, GuardDuty will use list the entries in this list as an additional source for threat detection and generate findings when there is an activity associated with these known malicious IP addresses. GuardDuty continues to monitor independently of this custom threat intelligence set. + +Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts. @@ -52 +54 @@ To declare this entity in your AWS CloudFormation template, use the following sy -A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet. +A boolean value that determines if GuardDuty can start using this list for custom threat detection. For GuardDuty to be able to generate findings based on an activity associated with these entries, this list must be active. @@ -93 +95 @@ _Required_ : No -The format of the file that contains the ThreatIntelSet. +The format of the file that contains the `ThreatIntelSet`. For information about supported formats, see [List formats](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#prepare_list) in the _Amazon GuardDuty User Guide_. @@ -123 +125,3 @@ _Required_ : Yes -A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet. +The user-friendly name to identify the ThreatIntelSet. + +The name of your list must be unique within an AWS account and Region. Valid characters are alphanumeric, whitespace, dash (-), and underscores (_). @@ -138 +142 @@ _Required_ : No -The tags to be added to a new threat list resource. Each tag consists of a key and an optional value, both of which you define. +The tags to be added to a new threat entity set resource. Each tag consists of a key and an optional value, both of which you define.